Description

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=2050228

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt

https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076

Related Vulnerabilities

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http

CVE-2022-29253 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2023-48967 Vulnerability in maven package org.noear:solon.serialization.fury

CVE-2021-21685 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-24821 Vulnerability in maven package org.xwiki.platform:xwiki-platform-skin-skinx

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Issue Tracking Vendor Advisory Exploit Third Party Advisory